Severity: critical

Description: Apache Druid uses the Java logging library Apache Log4j, in which a critical vulnerability (CVE-2021-44228) has recently been identified that can lead to remote code execution (RCE). It is triggered whenever an attacker controls any part of a log message. Because that attack surface is very wide, it is critical that all Druid users patch or mitigate this vulnerability as soon as possible. The Log4j advisory is available at https://nvd.nist.gov/vuln/detail/CVE-2021-44228.

Affected versions: Druid 0.22.0 and earlier.

Mitigation: We recommend that all users upgrade to Druid 0.22.1, which contains Apache Log4j 2.15.0, the Log4j release that fixes this vulnerability. (Log4j 2.15.0 was itself later found to be an incomplete fix, tracked as CVE-2021-45046, so after upgrading confirm that the bundled log4j-core is at the version the Log4j project currently recommends.)

If you are unable to upgrade Druid at this time, deploy a mitigation. The Log4j announcement describes the possible mitigations: https://lists.apache.org/thread/bfnl1stql187jytr0t5k0hv0go6b76g4. Different Log4j versions have different mitigation options, so first check the "lib" directory of your Druid installation for the "log4j-core" jar; its file name carries the Log4j version. Recent versions of Druid ship Log4j 2.8.2. Two possible mitigations for Log4j 2.8.2 are:

1) Specify "%m{nolookups}" in the PatternLayout configuration of your log4j2.xml file. Druid installations may have multiple log4j2.xml files; be sure to update all of them.

2) Remove the JndiLookup and JndiManager classes from the log4j-core jar.

Either mitigation requires a restart of every Druid process in the cluster to take effect.

References:
https://nvd.nist.gov/vuln/detail/CVE-2021-44228
https://lists.apache.org/thread/bfnl1stql187jytr0t5k0hv0go6b76g4
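The version check and the two Log4j 2.8.2 mitigations described above, as an added example; this script is not part of the advisory and is not the Druid project's own code. It assumes the layout the advisory describes (a log4j-core-<version>.jar in lib/ and one or more log4j2.xml files under conf/), a Linux host with sed -E, grep -a and the zip command, and an environment variable DRUID_HOME; the script name, DRUID_HOME and all paths are assumptions:

```shell
#!/bin/sh
# Added example; not code from the Druid project or the advisory.
# Audits an unpacked Druid distribution for CVE-2021-44228 and applies the two
# mitigations the advisory lists for Log4j 2.8.2. Assumed layout (as the
# advisory describes): log4j-core-<version>.jar under lib/ and one or more
# log4j2.xml files under conf/. Needs POSIX sh, GNU-style `sed -E` / `grep -a`
# and, for the jar surgery only, `zip`. DRUID_HOME and all paths are assumptions.

JNDI_LOOKUP=org/apache/logging/log4j/core/lookup/JndiLookup.class
JNDI_MANAGER=org/apache/logging/log4j/core/net/JndiManager.class

# Print the path of the log4j-core jar under $1/lib; return 1 if there is none.
log4j_jar() {
  for jar in "$1"/lib/log4j-core-*.jar; do
    [ -e "$jar" ] && { echo "$jar"; return 0; }
  done
  return 1
}

# Print the Log4j version taken from the jar file name (e.g. 2.8.2), or "none".
log4j_version() {
  jar=$(log4j_jar "$1") || { echo none; return 1; }
  v=${jar##*/log4j-core-}
  echo "${v%.jar}"
}

# Return 0 when dotted numeric version $1 is >= $2 (2.8.2 < 2.15.0 numerically,
# which a plain string compare would get wrong).
version_ge() {
  a=$1 b=$2
  while [ -n "$a$b" ]; do
    x=${a%%.*} y=${b%%.*}
    [ "${x:-0}" -gt "${y:-0}" ] && return 0
    [ "${x:-0}" -lt "${y:-0}" ] && return 1
    case $a in *.*) a=${a#*.} ;; *) a= ;; esac
    case $b in *.*) b=${b#*.} ;; *) b= ;; esac
  done
  return 0
}

# Check for the JNDI classes without unzip: zip entry names are stored
# uncompressed, so grep on the jar itself finds them. Return 0 if either is present.
jar_has_jndi() {
  grep -a -q -e "$JNDI_LOOKUP" -e "$JNDI_MANAGER" "$1"
}

# Mitigation 1: guard every %m / %msg / %message conversion in each log4j2.xml
# under $1 with {nolookups}. Idempotent, and leaves e.g. %marker untouched.
patch_pattern_layouts() {
  find "$1" -name log4j2.xml | while read -r f; do
    sed -E 's/%(message|msg|m)(\{nolookups\})?([^A-Za-z{]|$)/%\1{nolookups}\3/g' \
      "$f" > "$f.tmp" && mv "$f.tmp" "$f"
  done
}

# List log4j2.xml files under $1 that still contain an unguarded message
# conversion (the same pattern without a following "{").
unpatched_layouts() {
  find "$1" -name log4j2.xml -exec \
    grep -l -E '%(message|msg|m)([^A-Za-z{]|$)' {} \; 2>/dev/null
}

# Mitigation 2: delete the JNDI classes from the jar in place, then verify.
# Return 0 only if neither class is left in the archive.
strip_jndi_classes() {
  for c in "$JNDI_LOOKUP" "$JNDI_MANAGER"; do
    zip -q -d "$1" "$c" >/dev/null 2>&1 || true   # an entry already gone is fine
  done
  ! jar_has_jndi "$1"
}

# Summarise the install at $1. Return 0 when no action is needed (fixed Log4j
# release, or at least one of the two mitigations fully applied), 1 when the
# install is still exposed, 2 when no log4j-core jar was found.
audit() {
  jar=$(log4j_jar "$1") || { echo "no log4j-core jar under $1/lib"; return 2; }
  ver=$(log4j_version "$1")
  if version_ge "$ver" 2.15.0; then
    echo "log4j-core $ver: fixed release per the advisory"
    return 0
  fi
  jndi=absent
  jar_has_jndi "$jar" && jndi=present
  left=$(unpatched_layouts "$1" | wc -l | tr -d ' ')
  echo "log4j-core $ver: JNDI classes $jndi, unguarded log4j2.xml files: $left"
  [ "$jndi" = absent ] || [ "$left" -eq 0 ]
}

# Stand-alone use (hypothetical name): DRUID_HOME=/opt/druid sh druid-log4j-audit.sh [--mitigate]
if [ -n "${DRUID_HOME:-}" ]; then
  if [ "${1:-}" = --mitigate ]; then
    patch_pattern_layouts "$DRUID_HOME"
    jar=$(log4j_jar "$DRUID_HOME") && strip_jndi_classes "$jar"
  fi
  audit "$DRUID_HOME"
fi
```

Run the audit first: it separates a 2.15.0-or-later jar from an older one, and for an older jar reports whether the JNDI classes are still inside it and how many log4j2.xml files still carry an unguarded message conversion. After --mitigate, restart every Druid process and run the audit again; a clean result on disk says nothing about JVMs that are still running the old jar and configuration.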
Description: Apache Druid uses the Java logging library Apache Log4j, which has recently been identified to have a critical vulnerability that could lead to remote code execution (RCE). This vulnerability is triggered when an attacker can control any part of a log message. Due to the wide attack surface, it is critical that all Druid users patch or mitigate this vulnerability as soon as possible. The Log4j advisory is available at https://nvd.nist.gov/vuln/detail/CVE-2021-44228. Affected versions: Druid 0.22.0 and earlier are affected. Mitigation: We recommend that all users upgrade to Druid 0.22.1, which contains Apache Log4j 2.15.0. This version of Log4j has a fix for the vulnerability. If you are unable to upgrade Druid at this time, we recommend deploying a mitigation. Please refer to the Log4j announcement for details on possible mitigations: https://lists.apache.org/thread/bfnl1stql187jytr0t5k0hv0go6b76g4. Different Log4j versions have different mitigation options. Check the "lib" directory of your Druid installation for the "log4j-core" jar to see what version of Log4j you have. Recent versions of Druid use Log4j 2.8.2. Two possible mitigations for Log4j 2.8.2 are: 1) Specify "%m{nolookups}" in the PatternLayout configuration of your log4j2.xml file. Druid installations may have multiple log4j2.xml files; be sure to update all of them. 2) Remove the JndiLookup and JndiManager classes from the log4j-core jar. These mitigations require a cluster restart to take effect. References: https://nvd.nist.gov/vuln/detail/CVE-2021-44228 https://lists.apache.org/thread/bfnl1stql187jytr0t5k0hv0go6b76g4 --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@druid.apache.org For additional commands, e-mail: dev-h...@druid.apache.org